Abstract

Intrusion Detection Systems form an important component of network defense. Because of the heterogeneity of the attacks, it has not been possible to make a single Intrusion Detection System that is capable of detecting all types of attacks with acceptable levels of accuracy. In this chapter, the distinct advantage of sensor fusion over individual IDSs is proved. The detection rate and the false positive rate quantify the performance benefit obtained through the fixing of threshold bounds. Also, the more independent and distinct the attack space is for the individual IDSs, the better the fusion of Intrusion Detection Systems performs. A simple theoretical model is initially illustrated and later supplemented with experimental evaluation. The chapter demonstrates that the proposed fusion technique is more flexible and also outperforms other existing fusion techniques such as OR, AND, SVM, and ANN, using the real-world network traffic embedded with attacks.

Introduction

The probability of intrusion detection in a corporate environment protected by an Intrusion Detection Systems (IDS) is low because of various issues. The network IDSs have to operate on encrypted traffic packets where analysis of the packets is complicated. The high false alarm rate is generally cited as the main drawback of IDSs. For IDSs that use machine learning technique for attack detection, the entire scope of the behavior of an information system may not be covered during the learning phase. Additionally, the behavior can change over time, introducing the need for periodic online retraining of the behavior profile. The information system can undergo attacks at the same time the intrusion detection system is learning the behavior. As a result, the behavior profile contains intrusive behavior, which is not detected as anomalous. In the case of signature-based IDSs, one of the biggest problems is maintaining state information for signatures in which the intrusive activity encompasses multiple discrete events (i.e., the complete attack signature occurs in multiple packets on the network). Another drawback is that the misuse detection system must have a signature defined for all possible attacks that an attacker may launch against the network. This leads to the necessity for frequent signature updates to keep the signature database of the misuse detection system up-to-date.

Many of the IDS technologies are complement to each other, since for different kind of environments some approaches perform better than others. The processes followed by IDS operations for detecting intrusions are mainly by monitoring and analyzing the network activities, by finding vulnerable parts in a network, or by integrity testing of sensitive and important data. If a single IDS is to monitor all these activities, the complexity of the IDS becomes unacceptably large. If we look at the present day information system security, a network intrusion detection system would be considered the best choice to protect the machines from Denial of Service (DoS) attacks. At the same time, a host intrusion detection system would be the right choice to protect the systems from internal users. In order to protect against Trojans on systems, a file integrity checker might be more appropriate. To protect the servers from attackers, an intrusion prevention system could be the best bet. This shows that the sensors available in literature show distinct preference for detecting a certain attack with improved accuracy and that none of them shows good detection rate for all types of attacks or a complete intrusion detection coverage. Since an information system has to be protected from all types of attacks, it is most likely that we will actually need a combination of all these methods or sensors. This argument is ascertained in this chapter by looking at the usefulness of sensor fusion in intrusion detection systems.

In this chapter, the distinct advantage of sensor fusion over individual IDSs is proved. All the related work in the field of sensor fusion has been carried out mainly with one of the methods like probability theory, evidence theory, voting fusion theory, fuzzy logic theory or neural network in order to aggregate information. The Bayesian theory is the classical method for statistical inference problems. The fusion rule is expressed for a system of independent learners, with the distribution of hypotheses known a priori. The Dempster-Shafer decision theory is considered a generalized Bayesian theory. It does not require a priori knowledge or probability distribution on the possible system states like the Bayesian approach and it is mostly useful when modeling of the system is difficult or impossible (Wu, Seigel, Stiefelhagen, & Yang, 2002). An attempt to prove the distinct advantages of sensor fusion over individual IDSs is done in this chapter using the Chebyshev inequality. Threshold bounds of fusion unit are derived using the principle of Chebyshev inequality using the false positive rates and detection rates of the IDSs. The goal is to achieve best fusion performance with the least amount of model knowledge, in a computationally inexpensive way. Threshold bounds instead of a single threshold give more freedom in steering system properties. Any threshold within the bounds can be chosen depending on the preferred level of trade-off between detection and false alarms.